diff --git a/go.mod b/go.mod
index a6fac92..89143b3 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.20
 
 require (
 	github.com/XSAM/otelsql v0.24.0
-	github.com/cockroachdb/cockroach-go/v2 v2.3.5
+	github.com/cockroachdb/cockroach-go/v2 v2.3.6
 	github.com/coreos/go-oidc/v3 v3.6.0
 	github.com/friendsofgo/errors v0.9.2
 	github.com/gin-contrib/cors v1.4.0
diff --git a/go.sum b/go.sum
index 5ed5c0f..e285f2a 100644
--- a/go.sum
+++ b/go.sum
@@ -122,8 +122,8 @@ github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
-github.com/cockroachdb/cockroach-go/v2 v2.3.5 h1:Khtm8K6fTTz/ZCWPzU9Ne3aOW9VyAnj4qIPCJgKtwK0=
-github.com/cockroachdb/cockroach-go/v2 v2.3.5/go.mod h1:1wNJ45eSXW9AnOc3skntW9ZUZz6gxrQK3cOj3rK+BC8=
+github.com/cockroachdb/cockroach-go/v2 v2.3.6 h1:Wlv9TzkrG9V7i6u8dEtmXPrBzvfFp+CgJNs696rAajM=
+github.com/cockroachdb/cockroach-go/v2 v2.3.6/go.mod h1:1wNJ45eSXW9AnOc3skntW9ZUZz6gxrQK3cOj3rK+BC8=
 github.com/coreos/go-oidc/v3 v3.6.0 h1:AKVxfYw1Gmkn/w96z0DbT/B/xFnzTd3MkZvWLjF4n/o=
 github.com/coreos/go-oidc/v3 v3.6.0/go.mod h1:ZpHUsHBucTUj6WOkrP4E20UPynbLZzhTQ1XKCXkxyPc=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
diff --git a/pkg/api/v1alpha1/router.go b/pkg/api/v1alpha1/router.go
index 87ecf24..82d629b 100644
--- a/pkg/api/v1alpha1/router.go
+++ b/pkg/api/v1alpha1/router.go
@@ -596,6 +596,7 @@ func (r *Router) Routes(rg *gin.RouterGroup) {
 		"/extensions/:eid",
 		r.AuditMW.AuditWithType("UpdateExtension"),
 		r.AuthMW.AuthRequired(updateScopesWithOpenID("governor:extensions")),
+		r.mwUserAuthRequired(AuthRoleAdmin),
 		r.updateExtension,
 	)
 
@@ -619,6 +620,7 @@ func (r *Router) Routes(rg *gin.RouterGroup) {
 		"/extensions/:eid/erds",
 		r.AuditMW.AuditWithType("CreateExtensionResourceDefinition"),
 		r.AuthMW.AuthRequired(createScopesWithOpenID("governor:extensions")),
+		r.mwUserAuthRequired(AuthRoleAdmin),
 		r.createExtensionResourceDefinition,
 	)
 
@@ -640,6 +642,7 @@ func (r *Router) Routes(rg *gin.RouterGroup) {
 		"/extensions/:eid/erds/:erd-id-slug",
 		r.AuditMW.AuditWithType("UpdateExtensionResourceDefinitionByID"),
 		r.AuthMW.AuthRequired(updateScopesWithOpenID("governor:extensions")),
+		r.mwUserAuthRequired(AuthRoleAdmin),
 		r.updateExtensionResourceDefinition,
 	)
 
@@ -647,6 +650,7 @@ func (r *Router) Routes(rg *gin.RouterGroup) {
 		"/extensions/:eid/erds/:erd-id-slug/:erd-version",
 		r.AuditMW.AuditWithType("UpdateExtensionResourceDefinitionBySlug"),
 		r.AuthMW.AuthRequired(updateScopesWithOpenID("governor:extensions")),
+		r.mwUserAuthRequired(AuthRoleAdmin),
 		r.updateExtensionResourceDefinition,
 	)
 
@@ -654,6 +658,7 @@ func (r *Router) Routes(rg *gin.RouterGroup) {
 		"/extensions/:eid/erds/:erd-id-slug",
 		r.AuditMW.AuditWithType("DeleteExtensionResourceDefinitionByID"),
 		r.AuthMW.AuthRequired(deleteScopesWithOpenID("governor:extensions")),
+		r.mwUserAuthRequired(AuthRoleAdmin),
 		r.deleteExtensionResourceDefinition,
 	)
 
@@ -661,6 +666,7 @@ func (r *Router) Routes(rg *gin.RouterGroup) {
 		"/extensions/:eid/erds/:erd-id-slug/:erd-version",
 		r.AuditMW.AuditWithType("DeleteExtensionResourceDefinitionBySlug"),
 		r.AuthMW.AuthRequired(deleteScopesWithOpenID("governor:extensions")),
+		r.mwUserAuthRequired(AuthRoleAdmin),
 		r.deleteExtensionResourceDefinition,
 	)
 
@@ -669,6 +675,7 @@ func (r *Router) Routes(rg *gin.RouterGroup) {
 		"/extension-resources/:ex-slug/:erd-slug-plural/:erd-version",
 		r.AuditMW.AuditWithType("CreateSystemExtensionResource"),
 		r.AuthMW.AuthRequired(createScopesWithOpenID("governor:extensionresources")),
+		r.mwUserAuthRequired(AuthRoleAdmin),
 		r.createSystemExtensionResource,
 	)
 
@@ -690,6 +697,7 @@ func (r *Router) Routes(rg *gin.RouterGroup) {
 		"/extension-resources/:ex-slug/:erd-slug-plural/:erd-version/:resource-id",
 		r.AuditMW.AuditWithType("UpdateSystemExtensionResource"),
 		r.AuthMW.AuthRequired(createScopesWithOpenID("governor:extensionresources")),
+		r.mwUserAuthRequired(AuthRoleAdmin),
 		r.updateSystemExtensionResource,
 	)
 
@@ -697,6 +705,7 @@ func (r *Router) Routes(rg *gin.RouterGroup) {
 		"/extension-resources/:ex-slug/:erd-slug-plural/:erd-version/:resource-id",
 		r.AuditMW.AuditWithType("DeleteSystemExtensionResource"),
 		r.AuthMW.AuthRequired(createScopesWithOpenID("governor:extensionresources")),
+		r.mwUserAuthRequired(AuthRoleAdmin),
 		r.deleteSystemExtensionResource,
 	)